
> In the case of SONY, the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent.

Investment can make spearphishing much harder. Defense is not always absolute, but about raising the cost for the attacker.




I agree that all security is a cost-benefit tradeoff. This is of course folklore wisdom. The importance with regard to the SONY case is that SONY was not the victim of an opportunistic attack but was targeted specifically. In this case, it is highly likely that SONY did invest in training its employees in corporate policy and security awareness (at least as much as any other corporation).

I have trouble thinking of a cost-effective way that SONY could have prevented #GOP from getting in.

IMO SONY had two failures:

1.) The hoarding of data. Again I don't think that this is uncommon. I would expect to see this at pretty much any company of their size.

2.) The lack of an ability to respond to the APT once it was discovered. This is extremely tricky business, but a critical piece of security. It is common now for businesses to assume that they have been compromised and to build out the capability to recover and isolate issues as quickly as possible. Unfortunately for SONY, all of their data had been exfiltrated out of the network by the time they knew there was a problem.


> The importance with regard to the SONY case is that SONY was not the victim of an opportunistic attack but was targeted specifically.

Amazon, Google, etc. are specifically targeted all the time. What's different?


Nothing is different if they are also targeted specifically.

The context of the discussion is that SONY, even if it 'increased spending on defense', would have been compromised because it was targeted in an attack rather than an attack of opportunity.

Amazon and Google also get hacked. So do Adobe and Microsoft. So do the DoD and White House. So do JPMorgan and Wall Street.


> Amazon and Google also get hacked. So do Adobe and Microsoft. So do the DoD and White House. So do JPMorgan and Wall Street.

The difference between Sony and the other companies you listed is the effort they put into security/technology-defense.

Yes, anyone might be hacked. That doesn't mean you just throw your arms up and let it happen. Sony effectively threw their arms up.



